
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and V...

Results 248 specification issues

Currently, an SBOM could be declared as `aggregate=complete` without offering evidence. Ideally, suitable evidence must be presented under [declarations.evidence](https://cyclonedx.org/docs/1.6/json/#declarations_evidence) for such [claims](https://cyclonedx.org/docs/1.6/json/#declarations_claims), using the bom-ref as the link. Currently,...

We currently do not have a way to track the full list of all contributors for a component version. Since contributors could be different from authors, we need a better...

Currently, a component has a bom-ref, while the BOM has a serialNumber. A growing number of ASOC and Vulnerability Management platforms aggregate several components from across BOMs into a single database....

Currently, externalReferences supports both URL and BOM-Link. There are some types that are better expressed with BOM-Link and therefore must be preferred over a URL. Below are some types: -...

documentation

The documentation for swhid is below:

> Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to...

documentation

Deprecate `publisher` in favor of a strongly typed `publisherContact` of type `organizationalContact` (https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.schema.json#L906-L910). This will allow organizations to better analyze publisher-related risks and avoid the use of components...

proposed core enhancement

Consider enhancing `organizationalContact` to support the following:

- public gpg key bom-ref - This is especially useful to verify publishers and identify all components published with the same key. Tools...

proposed core enhancement

Currently specVersion is a [string](https://github.com/CycloneDX/specification/blob/master/schema/bom-1.6.schema.json#L25). This is creating confusion when consuming tools treat this value as both a string and an integer. Examples:

- https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/925b04fdd74e4e412e1cc06d7fad9e7a102e329c/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L236
- https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/925b04fdd74e4e412e1cc06d7fad9e7a102e329c/src/it/makeBom/verify.groovy#L11
- https://github.com/DependencyTrack/dependency-track/blob/b40ea44864d006079d38a8d159c2d9d1c5fb04f7/src/main/java/org/dependencytrack/model/Vex.java#L131

breaking-changes

The documentation for [swhid](https://cyclonedx.org/docs/1.6/json/#components_items_swhid) suggests including evidence for identity. Often the swhid could be obtained by performing a search (manual and automated) on the official site https://archive.softwareheritage.org. Consider...

Related to #440. A given component identified by a purl could contain sub-components that could be identified by granular blobs. For instance, an swhid could map to five kinds of...

proposed core enhancement